[Swan-dev] libreswan-git/klips doesn't remove old ip addresses from ipsec device

Paul Wouters paul at nohats.ca
Wed May 7 18:14:13 EEST 2014


On Wed, 7 May 2014, Wolfgang Nothdurft wrote:

> If the IP address of a dynamic base device changes, the old IP address will 
> not be removed even after an ipsec restart.
>
> The problem was introduced with the
>
> commit eafef8377e6aa5be0001d4b61c48cbee3e8097c4
> Author: Paul Wouters <pwouters at redhat.com>
> Date:   Fri Mar 28 19:05:56 2014 -0400
>
>    _stackmanager: optimize unloading stacks
>
> https://lists.libreswan.org/pipermail/swan-commit/2014-March/001055.html
>
> With this change the ipsec modules won't be unloaded on stop.
>
> Should it be part of the network scripts to care about an ip address change 
> and removing it from the ipsec device?
>
> What is the recommended procedure that the network scripts have to do when the 
> IP address changed?
>
> I think one simple solution would be to flush the IP from ipsec after clearing 
> the eroutes, or replacing the IP instead of adding it in the startklips 
> function.

You would have to delete the IP and the aliases too, so that's not
trivial as aliases can be added in the old and new method.

As the above fix was mostly meant for the NETKEY/XFRM unloading issues,
I've just pushed a change that will unload KLIPS when stop is called
and which won't unload netkey modules unless changing to klips:

diff --git a/programs/_stackmanager/_stackmanager.in
b/programs/_stackmanager/_stackmanager.in
index d2f52fb..d19091a 100644
--- a/programs/_stackmanager/_stackmanager.in
+++ b/programs/_stackmanager/_stackmanager.in
@@ -434,19 +434,16 @@ esac

  case ${action} in
      stop)
-       # We don't unload on stop - only when we detect a stack change.
         We do try and cleanup state
-       case ${stack} in
-           netkey)
+       # We don't unload NETKEY/XFRM on stop - only when we detect a stack change.
+       if [ -f ${ipsecpfkey} ]; then
+               ipsec eroute --clear
+               # this clears all IP addresses on ipsecX interfaces by unloading the module
+               stopklips()
+       elif [ -f ${kamepfkey} ]; then
                 ip xfrm state flush
                 ip xfrm policy flush
-               ;;
-           klips)
-               ipsec eroute --clear
-               ;;
-           mast)
-               ipsec eroute --clear
-               ;;
-       esac
+               # module unloading skipped on purpose - can hang for a long time or fail
+       fi
         ;;
      start)
         case ${stack} in
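Review bot: `stopklips()` on the added line in the `if [ -f ${ipsecpfkey} ]` branch is shell function-definition syntax, not a call; with no `{ ... }` body following it the script fails to parse at the `elif`, so it should read `stopklips`. The unchanged context line `We do try and cleanup state` also carries no `#`, so if it really stands on its own line in the script it would be run as a command; it looks like a wrapped continuation of the removed comment and is worth confirming against the file. Note too that the branch is now chosen by which pfkey file exists rather than by `${stack}`, so the former `mast` case (which also ran `ipsec eroute --clear`) is only covered if that stack exposes `${ipsecpfkey}` as well.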

Hope this addresses your issue,

Paul

